TL;DR

  • AppSec is about more than just code — It often involves negotiation and cross-team collaboration, especially when security goals clash with business or development priorities.
  • A development background isn’t required — Many successful AppSec professionals come from nontraditional paths like cyber intelligence or system administration.
  • Communication is critical — AppSec professionals need strong interpersonal skills to align teams, justify risk decisions, and navigate internal politics.
  • Continuous learning is essential — The best in the field stay sharp by constantly updating their skills and embracing failure as part of the learning process.
  • Cybrary can help you get started — With hands-on labs, expert instructors, and job-specific training paths, Cybrary offers the resources to launch or grow your application security career.
    Application security has become one of the most popular career paths within the cybersecurity industry. Driven by the continuous growth of apps and our increasing reliance on them for everything from basic productivity tools to critical aspects of our infrastructure, AppSec experts, as well as the army of ethical hackers and penetration testers that work alongside them, are now in high demand. In fact, the U.S. Bureau of Labor Statistics predicts this role will grow by 33 percent in the next decade — far faster than the average rate of growth.

    Perhaps because of this newfound popularity, a number of misconceptions have gained traction around the role. For instance, there are those who think that application security and ethical hacking are purely technical roles that don’t require extensive communication skills. Likewise, some believe that it’s simply a matter of reviewing code, hunting down flaws, and reporting them. In both cases, the reality can be much more complex.

    So what’s application security really like? To find out, I chatted with Clint Kehr, one of our own Cybrary instructors and an AppSec expert. Here’s what he had to say.

    Application security can be political

    At its core, application security is simply about finding vulnerabilities in applications and fixing them so that they remain secure. Although this sounds straightforward enough, determining which vulnerabilities to prioritize and address first can actually be quite tricky.

    “Normally, we prioritize repairs based on severity,” Kehr said. “And severity is typically based on the common vulnerability scoring system (CVSS).” However, Kehr pointed out that those CVSS scores can be broad and open to interpretation. “You’re actually not just going off of the scores. You’re adjusting them based on your analysis of the vulnerability. And that’s where people can get into debates.”

    These debates can take multiple forms. For example, if pen testers and ethical hackers are paid based on the severity of the vulnerabilities they find, downgrading a score affects how much money they earn, which can set up a conflict. Even more common is when AppSec priorities interfere with development priorities: whereas you are focused on improving security, the development team may be more focused on getting a minimally viable product to market quickly, or simply on making money.
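    As an added example that is not part of the original post or Kehr's own material, the script below scores two constructed findings with the CVSS v3.1 base formulas and then re-scores them with the environmental metrics an analyst sets after reviewing deployment context (network exposure, data sensitivity). The finding titles, vectors and context values are assumptions; the weights and rounding rule are those of the CVSS v3.1 specification, with temporal metrics treated as Not Defined.

```python
"""CVSS v3.1 base score plus an environmental re-score that captures the
analyst's context. Constructed example; temporal metrics assumed Not Defined."""
import math

W = {  # metric weights from the CVSS v3.1 specification
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},          # scope unchanged
    "PRC": {"N": 0.85, "L": 0.68, "H": 0.5},          # scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR / IR / AR
}

def roundup(x):
    """Spec-defined rounding to one decimal place (always upward)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(p.split(":") for p in vector.split("/")[1:])

def score(m, env=None):
    """Base score when env is None, otherwise the environmental score.
    env may override base metrics (e.g. {'AV': 'A'}) and set CR/IR/AR."""
    environmental = env is not None
    env = env or {}
    m = {**m, **{k: v for k, v in env.items() if k in m}}
    req = {k: W["REQ"][env.get(k, "X")] for k in ("CR", "IR", "AR")}
    changed = m["S"] == "C"
    iss = 1 - (1 - req["CR"] * W["CIA"][m["C"]]) * (1 - req["IR"] * W["CIA"][m["I"]]) \
            * (1 - req["AR"] * W["CIA"][m["A"]])
    if environmental:
        iss = min(iss, 0.915)                     # MISS cap from the spec
    if changed:                                   # v3.1 uses a different curve for the modified impact
        k, adj = (13, 0.9731) if environmental else (15, 1.0)
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * adj - 0.02) ** k
    else:
        impact = 6.42 * iss
    pr = W["PRC" if changed else "PR"][m["PR"]]
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * pr * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

# Constructed findings: identical base vectors, very different deployment context.
FINDINGS = [
    ("SQLi in customer payments API (internet-facing, PII)",
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", {"CR": "H", "IR": "H"}),
    ("SQLi in internal lab inventory tool (LAN only, test data)",
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", {"AV": "A", "CR": "L", "IR": "L", "AR": "L"}),
]

def prioritize(findings):
    """Return (title, base, adjusted) rows sorted by the analyst-adjusted score."""
    rows = [(t, score(parse(v)), score(parse(v), env)) for t, v, env in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for title, base, adjusted in prioritize(FINDINGS):
        print(f"{base:4} -> {adjusted:4}  {title}")
```

    Both findings share a 9.8 base score; after the environmental adjustment the LAN-only tool drops to 6.9 while the payments API stays at 9.8, which is exactly the kind of defensible downgrade that has to be communicated to the people who reported it.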

    The takeaway? For Kehr, being good at his job means maintaining open lines of communication with the larger team at all times. “There can be this belief from some development teams that security is there to hinder them from getting things done,” he said. “It can get political.”

    A development background isn’t necessary

    Considering the whole point of application security and ethical hacking is to comb through software code for potential weaknesses, it would make sense that a development background would be a plus. And it certainly can be — but Kehr doesn’t think it is essential.

    “You know, I didn't come into cybersecurity from a developer background,” he said. Instead, Kehr got his start in cyber intelligence. As a police officer, he worked with teams that infiltrated the dark web and combed through illegal marketplaces. Although Kehr admitted that developers may have initially had a leg up on him when he pivoted, he now credits his nontraditional background with helping to differentiate him.

    “I had to get my hands dirty,” he said. “I feel like a lot of people, especially as they move higher, are afraid to do the hands-on work because it's something that they could fail at.” But, Kehr emphasized, failing is something you need to learn to be good at. “If you're not okay with failing, you're not going to do well in offensive security because you're going to find that you fail a lot.”

    The lesson Kehr takes from this is that if you want to get into AppSec or pentesting or ethical hacking, don’t be afraid to take a non-linear path. “Maybe you work in a SOC first or maybe you work on a vault management team. Whatever it is, I think that it can add perspective.”

    The best never stop learning

    As an application security specialist, Kehr gets to work directly with plenty of pentesters and ethical hackers. Although they all have different strengths and focus areas — some might be better at risk management whereas others succeed more at dynamic testing — there is one quality among the best of them that Kehr singled out.

    “The most successful people that I work with have a thirst for knowledge,” he said. “If someone's just taking the knowledge that they learned about 20 years ago, they're going to be way behind. You really have to always be learning and always be curious and not afraid to fail.”

    One doesn’t have to look far to confirm Kehr’s hunch. In a study by ISACA, an impressive 82 percent of businesses that prioritized continuous cybersecurity education for their employees reported lower incident rates, faster recovery times, and an improved security posture. This is largely because ongoing awareness helps security professionals pay attention to details they might otherwise miss.

    “How do you stay sharp and maintain your edge when you're looking at all this detailed code and these different applications?” Kehr asked. “Especially as applications continue to get more complex and vulnerabilities increase.” The answer, for Kehr, is to never stop learning.

    Prepare for your application security career with Cybrary

    Application security is a growing field, making now the perfect time to start preparing. Fortunately, Cybrary’s extensive course catalog gives you all you need to stay on track. Browse through our full catalog or request a demo for your team to start accessing our curriculum — including our knowledgeable Cybrary mentors.
